Change is coming: Mandatory personal data retention policies
21 Sep 2020
On 20 January 2020, the Constitutional and Mainland Affairs Bureau, in collaboration with the Privacy Commissioner of Hong Kong, provided its report on recommended changes to personal data privacy law in Hong Kong. In another in his series looking at the implications of the proposed changes, Pádraig Walsh from the Privacy and Cybersecurity practice group of Tanner De Witt reviews and assesses the proposal to introduce mandatory personal data retention policies.
The current position
Presently, Data Protection Principle (DPP) 2 in the Personal Data (Privacy) Ordinance (the Ordinance) provides that personal data must not be kept longer than is necessary for the fulfillment of the purpose (including any directly related purpose) for which the data is or is to be used. Also, the data user is required to erase personal data held when the data is no longer required for the purpose for which the data was used, unless erasure is prohibited by law or erasure would not be in the public interest. There is no right of a data subject to require his personal data to be erased by a data user.
The measure of how long is necessary is prone to misinterpretation. It is often clear how long is too long. For instance, the Privacy Commissioner has dealt with a complaint in which an employee’s poor performance record was retained for a period of ten years after his employment ended. In an investigation report in respect of a data breach that affected Cathay Pacific and Hong Kong Dragon Airlines, approximately 240,000 HKID Card numbers collected under an old policy for a membership programme were retained for 13 years after the policy changed to avoid using HKID Card numbers for identity verification. Sometimes, though, asking how long is necessary is like asking how long is a piece of string.
The core reason why good data retention practices are desirable is that you cannot lose what you do not have. The longer personal data is kept, the greater the risk of data breach and the greater the impact of data loss in that breach. Also, the longer personal data is kept, the more likely that it will be inaccurate and have adverse consequences to data subjects if used. There is an increased litigation risk associated with personal data held after its appropriate retention period. So holding personal data longer than necessary has risk writ large over it.
The positive benefit of having a good retention policy and practice is that it drives other good features of privacy management. For instance, a proper retention policy must be based on a reliable data inventory. A data user cannot give guidance on the retention and erasure of personal data, unless it knows the type, volume, use and location of the personal data it holds. A retention policy necessarily brings focus to processes for data erasure, and ensuring the personal data is promptly and securely destroyed. There is also a cost saving: less data is less costly to store and manage.
The issue facing the Privacy Commissioner though is that it is not possible to have a “one size fits all” approach to periods of personal data retention. Businesses hold a variety of types of personal data, and need to use that personal data for a variety of purposes. A uniform data retention period, and related policies, is not practicable.
The Privacy Commissioner proposes to amend DPP5 in the Ordinance. This principle requires that data users must take all practicable steps to ensure that a person can ascertain their policies and practices in respect of personal data. This is a principle of openness and transparency. This will be amended to require that data users must include a data retention policy as part of their policies and practices.
The change to the Ordinance will be supplemented by templates and guidelines published by the Privacy Commissioner. These can be expected to give guidance on:
- how to prepare data inventories to identify categories of personal data
- the common legal requirements for retention of specific categories of personal data (e.g. tax, employment, regulatory)
- how to assess the duration for an appropriate data retention period
- how to calculate when a data retention period should start
- how data retention should be linked to policies in privacy management on data security and data erasure
Steps to introduce a Data Retention Policy
Step 1: Compile a Data Inventory
A Data Retention Policy must be customized to the kind of data held by the data user. Before a Data Retention Policy is written, the data user must ensure it has an accurate and complete Data Inventory. A Data Inventory should:
- describe the kind of personal data
- identify the category of data subject
- state the location of the personal data
- state the format in which the personal data is stored
- state whether the personal data was provided by a third party
- state the purpose for which the personal data may be used
- state the retention period or date by which the personal data should be destroyed
- state access and transfer controls in respect of the personal data
A Data Inventory provides a baseline for the next step in creating a Data Retention Policy.
Step 2: Prepare a Data Retention Legal Report
The next step is to prepare a Data Retention Legal Report that outlines the retention period for each category of personal data held by the data user. This will take account of legal or regulatory requirements that state minimum or maximum periods of retention, and impose other requirements. This is a task that is frequently supported by legal advice.
Key questions to ask in this analysis are:
- What system of law applies to the retention period?
- What legal and regulatory obligations apply in respect of the retention period?
- What industry standards apply in respect of the retention period?
- What is the specific source or authority for the retention period?
- When does the retention period start?
- What fines, penalties or other sanctions can be imposed for non-compliance?
Step 3: Index, archive and digitise
Once the Data Inventory and Data Retention Legal Report are prepared, the next step in the process is to develop and implement a system to index and archive the personal data records. This will assist the efficient retrieval of records, and also facilitate the prompt and secure destruction of those records on expiry of the retention period.
Most records can be digitised. This is advantageous as a space and cost-saving measure. However, certain records may need to be kept in original written paper form and should not be digitised. Even if records are digitised, proper access and change controls and audit standards must be set to ensure that the authenticity and evidential value of the digitised copy is preserved. Also, a data minimisation principle should be applied to the digitisation process. Only digitise what must be kept, and consider securely destroying what need not be kept.
Step 4: Review secure destruction processes
The final step in preparing the Data Retention Policy should focus on the secure destruction of personal data. The analysis should focus on and adopt the following:
- Monitor and implement a review cycle to identify and allocate personal data records for destruction.
- Check to ensure there is no contractual, legal or regulatory requirement to retain the personal data.
- If the destruction is conducted by a third party, ensure that proper contractual obligations are in place that meet the data processing obligations of that third party.
- Review and ensure the chain of custody is secure through the destruction cycle.
- Obtain a certified secure destruction report for the personal data, stating the kind of personal data destroyed, and the date of destruction.
Personal data can be held in a variety of formats. Industry standards will guide data users on the requirements for secure destruction. This is particularly important for records maintained in digital or electronic formats. Also, particular care should be taken in respect of the destruction of archived data. For instance, for archived data, a secure destruction policy should ensure the data itself is destroyed, not just the index references to the data.
Step 5: Write the Data Retention Policy
Once these issues have been teased out, and an overview of the entire data retention process is clear, then the Data Retention Policy can be documented. The Policy should link to:
- The Data Inventory
- The Data Retention Legal Report
- Processes, systems and forms that support implementation of the Policy
- Other relevant policies, and in particular the Information Security Policy
The Policy should contain a system that enables management oversight and review, and outline a training system so that all key persons are familiar with its requirements.
The Policy should document what the data user does, but equally importantly, the data user must do what the Policy documents. This is a function of data compliance, but a well-drafted Policy properly implemented is an instrument of accountability.
Data retention policies are the unsung heroes of privacy management programmes. A good data retention policy, properly implemented, drives good behaviour that has a ripple effect of enhancing data governance in other ways throughout an organisation. The principle of data minimisation is at the core of a data retention policy. If it’s not needed, don’t keep it, and if you don’t have it, you can’t lose it. We welcome these proposed changes.
Although predicting when legislative processes conclude has an element of crystal ball gazing, we expect the proposal to require data users to have a data retention policy to be passed into law in Hong Kong in the course of 2021.
Businesses should give serious consideration now to their data retention policies. This is one of those changes in law where it is better to get out in front and ahead of the change. Why wait to introduce good data governance and management? Now is the time to:
- prepare a Data Inventory
- prepare a Data Retention Legal Report
- consider your indexing and digitisation programmes
- consider your processes for secure destruction of data
- write your Data Retention Policy
- establish your governance and management programme to oversee and implement your data retention policies.
We, at Tanner De Witt, can help you with these steps. Start preparing. Change is on the way.
 See our other articles giving an overall summary of the changes, the change to the definition of personal data, the proposed administrative fining powers, and mandatory breach notification requirements.
 Section 26(1) of the Ordinance
 See Case No. 2016C02 on this link
Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.